Love, Bonito slapped with SG$24k fine over 2019 data breach

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Omnichannel womenswear brand Love, Bonito has been fined SG$24,000 over a data breach in 2019, which compromised the personal information of over 5,500 customers. According to the Personal Data Protection Commission (PDPC), Love, Bonito's password policy for accounts allowing access to the website management software accounts was inadequate.

PDPC said that the Love, Bonito had adopted the software's default security settings, such as the required password length and lockouts after a number failed attempts. The brand also did not mandate periodic changes of passwords, despite the availability of this function on the software. "A robust password policy is a key security measure that an organisation must have in place to ensure that its IT systems are not vulnerable to common hacking attempts such as brute force attacks," PDPC added.

Additionally, the password of the administrator account was "ilovebonito88". Incorporating the brand's name can make account passwords easy to guess and more vulnerable. "A robust password policy is a key security measure that an organisation must have in place to ensure that its IT systems are not vulnerable to common hacking attempts such as brute force attacks," PDPC added.

Brute-force attacks are a common method of guessing passwords by systematically trying every possible combination of letters, numbers and symbols. Other weaknesses found in the company's IT systems included the lack of security monitoring for the Love, Bonito's network and a lack of system maintainance.

The maximum fine a company can face for a data breach is SG$1 million, PDPC said.

Since the data breach, Love, Bonito has made "significant improvements" to its data security systems and it has been constantly reviewing it to prevent such instances from happening again, the brand's spokesperson told MARKETING-INTERACTIVE. Additionally, seeing as hackers are constantly getting more advanced, the brand also hired an in-house security consultant and implemented IT security training for relevant members on its IT team to monitor various technology assets.

Love, Bonito also migrated to a cloud provider to have better control of its infrastructure, further redefined its IT security policies, implemented security validations such as 2FA and CAPTCHA across various platforms and continuously conduct bi-annual formal penetration tests to evaluate the security of its IT system, the spokesperson said. The brand added, "We acknowledge that such data breaches bring about much concern and frustration for many and we sincerely apologise for the inconvenience and anxiety that it has caused. We thank our customers for their continuous support over the years and want to assure them that it is our duty to safeguard their personal data. The team will continue to take the necessary precautions to protect their privacy."

In late November 2019, Love, Bonito noticed a significant drop in credit card authorisations for payments via the platform and discovered that the checkout page had been configured to load an incorrect form, which was not from the company nor its third-party vendors. Love, Bonito had implemented a fix to replace the incorrect form, but the problem resurfaced again in 9 December that year. It implemented a fix to allow the processing of credit card payments to resume through the platform.

The brand then temporarily suspended the credit card payment functionality on the checkout page and continued to investigate the issue alongside its vendors and a private forensic investigator. Love, Bonito later confirmed and sent an email notifying customers of the data breach. The compromised particulars included full names, addresses, contact details and even credit card data for some cases.

Separately, Love, Bonito raised US$50 million in its Series C funding in October last year, led by global investment firm Primavera Capital Group. The funds will be used to bolster efforts in existing omnichannel markets such as Singapore, Indonesia and Malaysia. With the added funding, the brand plans to expand its communities in omnichannel markets through its extended category offerings and community outreach, and by strengthening its loyalty program with more relevant brand partnerships and collaborations. It will also look to enhance its technology and data infrastructure to support its growth. At the same time, Love, Bonito will supercharge international expansion in markets that collectively are experiencing triple digits year-on-year growth, such as Hong Kong, Japan, Philippines and the US.

Love, Bonito also promoted chief operating officer Dione Song to CEO in April 2021, marking its first CEO in the company's history, according to co-founder Rachel Lim in a LinkedIn post. Song first joined Love, Bonito in 2017 as chief commercial officer before being promoted to chief operating officer in 2018.

share on